Off the hook
It has been more than a month since I wrote a single post. Previously I was able to find time to do some experiments when I came home. However, after the recent silly attack on my poor RtooDtoo.net server, it took me quite some time to bring it back on its feet. I still have a list of security measures to do or improve on the server and firewall configuration, but a hectic life sometimes prevents you from being prolific. In the meantime, I have temporarily put the rtoodtoo.net server behind a Firefly Perimeter firewall and activated the IDP service. It has been running for around a week now and has already blocked 15 BASH code injection attempts. I don't really mind sharing my attack statistics. Here is the list:
root@fw1> show security idp attack table
IDP attack statistics:
  Attack name                              #Hits
  DNS:AUDIT:AAAA-RR                        21639
  DNS:TRAFFIC-UDP                          13197
  HTTP:AUDIT:HTTP-VER-1.0                   3904
  HTTP:AUDIT:HTTP-1.0-HOST-HEADER           3898
  HTTP:INFO:SPIDER-ROBOT                    3620
  HTTP:UA:MOBILE                            3283
  HTTP:UA:GOOGLEBOT                         1707
  DNS:REQUEST-RRTYPE-ANY                    1493
  HTTP:AUDIT:REMOTE-URL-IN-VAR              1261
  HTTP:INFO:HTTPPOST-GETSTYLE               1143
  HTTP:UA:MSN-BINGBOT                        890
  HTTP:AUDIT:ROBOTS.TXT                      422
  HTTP:SQL:INJ:GENERIC                       197
  HTTP:STC:SRVRSP:COMPRESSED                  46
  HTTP:AUDIT:UNWISE-CHAR                      24
  HTTP:PROXY:HTTP-PROXY-GET                   21
  HTTP:CGI:BASH-CODE-INJECTION                15
  HTTP:DIR:PARAMETER-TRAVERSE                  8
  HTTP:EXPLOIT:SMALL-FIRST-DATA                7
  DNS:REQUEST:REVERSE-LOOKUP                   6
  HTTP:PASSWD:COMMON                           6
  HTTP:UA:WGET                                 5
  HTTP:PHP:WP-BRUTE-FORCE-LOGIN                4
  HTTP:PHP:WP-SLIDER-REV-AFD                   4
  HTTP:UA:CRAZY-BROWSER                        3
  HTTP:UA:CURL                                 3
  HTTP:CGI:NULL-ENCODING                       2
  HTTP:AUDIT:FW1-SCHEME-OF                     1
  HTTP:AUDIT:GENERIC-FMT-STR                   1
  HTTP:EXPLOIT:D-LINK-ADMIN-PW                 1
  HTTP:OVERFLOW:MISSING-VER-BO                 1
  HTTP:PHP:JOOMLA-ADMIN-SCAN                   1
  HTTP:PHP:WP-README-SCAN                      1
  HTTP:PHP:WP-XML-RPC-PINGBACK-PP              1
  HTTP:REQERR:BIN-DATA-HEADER                  1
  HTTP:SQL:INJ:HEADER-1                        1
  HTTP:TUNNEL:PROXY                            1
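The table above mixes audit and client-identification signatures (the AUDIT, INFO and UA entries such as GOOGLEBOT and MOBILE) with signatures for real attacks, which is why a policy cannot simply drop on every hit. The following Python script is an added example, not code from this post and not from Juniper: it parses the output of "show security idp attack table" and splits the signatures into informational and attack-class groups using the second token of the signature name. The grouping and the shortened excerpt of the table are my own assumptions, not Juniper's taxonomy.

```python
import re

# Constructed excerpt of the "show security idp attack table" output quoted in the post
# (same signature names and hit counts; the list is shortened for the example).
IDP_TABLE = """\
root@fw1> show security idp attack table
IDP attack statistics:
  Attack name                          #Hits
  DNS:AUDIT:AAAA-RR                    21639
  HTTP:AUDIT:HTTP-VER-1.0               3904
  HTTP:INFO:SPIDER-ROBOT                3620
  HTTP:UA:GOOGLEBOT                     1707
  HTTP:SQL:INJ:GENERIC                   197
  HTTP:CGI:BASH-CODE-INJECTION            15
  HTTP:DIR:PARAMETER-TRAVERSE              8
  HTTP:PHP:WP-BRUTE-FORCE-LOGIN            4
  HTTP:EXPLOIT:D-LINK-ADMIN-PW             1
"""

# Assumed grouping, derived from the signature naming and not from Juniper's documentation:
# the second token of the name is treated as the category, and these categories describe
# traffic or identify clients (crawlers, old HTTP/1.0 clients, DNS record types) rather
# than attacks. A drop action on them would turn away legitimate visitors.
INFORMATIONAL_CATEGORIES = {
    "AUDIT", "INFO", "UA", "STC", "TRAFFIC-UDP", "REQUEST", "REQUEST-RRTYPE-ANY",
}

# A data row is a colon-separated upper-case signature name followed by a hit count.
ROW_RE = re.compile(r"^\s*([A-Z0-9.-]+(?::[A-Z0-9.-]+)+)\s+(\d+)\s*$")


def parse_attack_table(text):
    """Return [(signature_name, hits), ...] from the CLI output, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return rows


def classify(signature):
    """'informational' for audit/app-identification signatures, 'attack' for the rest."""
    parts = signature.split(":")
    category = parts[1] if len(parts) > 1 else ""
    return "informational" if category in INFORMATIONAL_CATEGORIES else "attack"


def summarize(rows):
    """Total hits per class, plus the attack-class signatures ordered by hit count."""
    totals = {"informational": 0, "attack": 0}
    attacks = []
    for name, hits in rows:
        kind = classify(name)
        totals[kind] += hits
        if kind == "attack":
            attacks.append((name, hits))
    attacks.sort(key=lambda row: row[1], reverse=True)
    return totals, attacks


if __name__ == "__main__":
    totals, attacks = summarize(parse_attack_table(IDP_TABLE))
    print("informational hits: %d, attack-class hits: %d"
          % (totals["informational"], totals["attack"]))
    for name, hits in attacks:
        print("%-35s %6d" % (name, hits))
```

The informational group dominates the hit count by two orders of magnitude, which is the practical reason for leaving those signatures in alert-only mode while the attack-class ones get a drop action.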
I am not blocking all of them, of course; otherwise the site wouldn't even run properly. Real attacks are blocked, though. The title of the post is "off the hook", but I am not there yet. I have a bunch of things I would like to write about, and I would like to start writing again as soon as possible. Maybe in a couple of days. Time will tell.
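The 15 HTTP:CGI:BASH-CODE-INJECTION hits in the table are Shellshock probes: a bash function definition placed in an HTTP header that a CGI script would export into the environment. The following Python script is an added example, not from this post and not the text of Juniper's signature; it applies the same detection idea to constructed sample requests, flagging any header whose value begins with the "() {" marker. The check is anchored at the start of the value because vulnerable bash versions only parsed an environment variable as a function when it began exactly that way.

```python
import re

# A Shellshock probe starts a header value with a bash function definition, "() {".
# Assumed detection pattern written for this example; it is not Juniper's signature text.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{")

# Constructed sample requests (header section only), not captured traffic.
# The second and third carry the marker in headers CGI scripts commonly export.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: rtoodtoo.net\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: rtoodtoo.net\r\n"
    "User-Agent: () { :; }; echo probe\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: rtoodtoo.net\r\n"
    "Referer: http://example.invalid/\r\nCookie: () { x;}; echo probe\r\n\r\n",
]


def parse_headers(raw):
    """Split a raw request into (request_line, {header_name_lower: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_bash_function_headers(raw):
    """Return the names of headers whose value starts with a bash function definition."""
    _, headers = parse_headers(raw)
    # match() anchors at the start: bash only treated a value as a function
    # definition when it began with "() {", so that is where a real probe puts it.
    return sorted(name for name, value in headers.items() if FUNC_DEF_RE.match(value))


def scan(requests):
    """Return [(request_line, [suspect header names]), ...] for probe-like requests."""
    hits = []
    for raw in requests:
        suspects = find_bash_function_headers(raw)
        if suspects:
            hits.append((raw.split("\r\n", 1)[0], suspects))
    return hits


if __name__ == "__main__":
    for request_line, suspects in scan(SAMPLE_REQUESTS):
        print("%s  <- bash function definition in: %s" % (request_line, ", ".join(suspects)))
```

Run against web server logs, a check like this gives a second count to compare with the IDP hit counter: if the firewall reports 15 blocked probes and the web server still logs some, the bypass is worth investigating.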
Glad to see you are back on your feet. I see you are getting hit with DNS record attacks too. I have been fighting these back against China for the last few months using Cisco ASAs. I found it easier to block 99% of APNIC and RIPE. I then go back and will add very specific filters to allow valid caching or CDN servers located around the world. I don't know yet how anyone COULD get a Shellshock attack to work against my servers from the WAN, but I have confirmed my Linux servers are vulnerable internally. I am very surprised someone with your experience and skill had an attack take you down for any length of time. Keep fighting the good fight and keep us posted on what you learn. Cheers!
Hi Joe,
I am not blocking these apps, actually. The list contains the identified applications as well, and I am blocking a few of them. As I am also keeping the DNS server of rtoodtoo.net, the number of requests keeps increasing slowly.
I see. I also noticed your hosting location and realize it would not be ideal for you to block RIPE’s networks like it is for me in the USA.
I've been following your site for a while and would like the chance to work with you. With your level of knowledge of Juniper equipment, are you available for any consulting opportunities at this time? If you don't already know, Juniper is looking to hire for perm positions focusing on Junos Space. You have my email, so if you are interested let me know through there.
Oh I just did some more searching and now realize you are already with Juniper. That makes sense.
Hi, nice blog! Is it possible to get the IDP configuration you created?
Thanks
Anders,
As I was testing the policy config, I used the default web server policy templates that come with the IDP installation. Nothing special.
Genco.